Use map for subnet and security group selectors

fiunchinho · fiunchinho · commit da960105d320 · 2025-07-09T23:44:27.000+02:00
diff --git a/api/v1alpha1/karpentermachinepool_types.go b/api/v1alpha1/karpentermachinepool_types.go
@@ -120,20 +120,14 @@ type EC2NodeClassSpec struct {
 	// Owner is the owner for the ami.
 	// You can specify a combination of AWS account IDs, "self", "amazon", and "aws-marketplace"
 	AMIOwner string `json:"amiOwner,omitempty"`
-	// - name: flatcar-stable-{{ $.Values.baseOS }}-kube-{{ $.Values.k8sVersion }}-tooling-{{ $.Values.toolingVersion }}-gs
-	//		//      owner: {{ int64 $.Values.amiOwner | quote }}
 
 	// SecurityGroups specifies the security groups to use
 	// +optional
-	SecurityGroups []string `json:"securityGroups,omitempty"`
+	SecurityGroups map[string]string `json:"securityGroups,omitempty"`
 
 	// Subnets specifies the subnets to use
 	// +optional
-	Subnets []string `json:"subnets,omitempty"`
-
-	// UserData specifies the user data to use
-	// +optional
-	UserData *string `json:"userData,omitempty"`
+	Subnets map[string]string `json:"subnets,omitempty"`
 
 	// Tags specifies the tags to apply to EC2 instances
 	// +optional
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_karpentermachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_karpentermachinepools.yaml
@@ -65,23 +65,20 @@ spec:
                       You can specify a combination of AWS account IDs, "self", "amazon", and "aws-marketplace"
                     type: string
                   securityGroups:
-                    description: SecurityGroups specifies the security groups to use
-                    items:
+                    additionalProperties:
                       type: string
-                    type: array
+                    description: SecurityGroups specifies the security groups to use
+                    type: object
                   subnets:
-                    description: Subnets specifies the subnets to use
-                    items:
+                    additionalProperties:
                       type: string
-                    type: array
+                    description: Subnets specifies the subnets to use
+                    type: object
                   tags:
                     additionalProperties:
                       type: string
                     description: Tags specifies the tags to apply to EC2 instances
                     type: object
-                  userData:
-                    description: UserData specifies the user data to use
-                    type: string
                 type: object
               iamInstanceProfile:
                 description: |-
diff --git a/controllers/karpentermachinepool_controller.go b/controllers/karpentermachinepool_controller.go
@@ -416,6 +416,28 @@ func (r *KarpenterMachinePoolReconciler) createOrUpdateEC2NodeClass(ctx context.
 	// Generate user data for Ignition
 	userData := r.generateUserData(awsCluster.Spec.S3Bucket.Name, cluster.Name, karpenterMachinePool.Name)
 
+	// Add security groups tag selector if specified
+	securityGroupTagsSelector := map[string]string{
+		fmt.Sprintf("sigs.k8s.io/cluster-api-provider-aws/cluster/%s", cluster.Name): "owned",
+		"sigs.k8s.io/cluster-api-provider-aws/role":                                  "node",
+	}
+	if karpenterMachinePool.Spec.EC2NodeClass != nil && len(karpenterMachinePool.Spec.EC2NodeClass.SecurityGroups) > 0 {
+		for securityGroupTagKey, securityGroupTagValue := range karpenterMachinePool.Spec.EC2NodeClass.SecurityGroups {
+			securityGroupTagsSelector[securityGroupTagKey] = securityGroupTagValue
+		}
+	}
+
+	// Add subnet tag selector if specified
+	subnetTagsSelector := map[string]string{
+		fmt.Sprintf("sigs.k8s.io/cluster-api-provider-aws/cluster/%s", cluster.Name): "owned",
+		"giantswarm.io/role": "nodes",
+	}
+	if karpenterMachinePool.Spec.EC2NodeClass != nil && len(karpenterMachinePool.Spec.EC2NodeClass.Subnets) > 0 {
+		for subnetTagKey, subnetTagValue := range karpenterMachinePool.Spec.EC2NodeClass.Subnets {
+			subnetTagsSelector[subnetTagKey] = subnetTagValue
+		}
+	}
+
 	operation, err := controllerutil.CreateOrUpdate(ctx, workloadClusterClient, ec2NodeClass, func() error {
 		// Build the EC2NodeClass spec
 		spec := map[string]interface{}{
@@ -427,29 +449,17 @@ func (r *KarpenterMachinePoolReconciler) createOrUpdateEC2NodeClass(ctx context.
 				},
 			},
 			"instanceProfile": karpenterMachinePool.Spec.IamInstanceProfile,
-			"userData":        userData,
-		}
-
-		// Add security groups if specified
-		if karpenterMachinePool.Spec.EC2NodeClass != nil && len(karpenterMachinePool.Spec.EC2NodeClass.SecurityGroups) > 0 {
-			spec["securityGroupSelectorTerms"] = []map[string]interface{}{
+			"securityGroupSelectorTerms": []map[string]interface{}{
 				{
-					"tags": map[string]string{
-						"Name": karpenterMachinePool.Spec.EC2NodeClass.SecurityGroups[0], // Using first security group for now
-					},
+					"tags": securityGroupTagsSelector,
 				},
-			}
-		}
-
-		// Add subnets if specified
-		if karpenterMachinePool.Spec.EC2NodeClass != nil && len(karpenterMachinePool.Spec.EC2NodeClass.Subnets) > 0 {
-			spec["subnetSelectorTerms"] = []map[string]interface{}{
+			},
+			"subnetSelectorTerms": []map[string]interface{}{
 				{
-					"tags": map[string]string{
-						"Name": karpenterMachinePool.Spec.EC2NodeClass.Subnets[0], // Using first subnet for now
-					},
+					"tags": subnetTagsSelector,
 				},
-			}
+			},
+			"userData": userData,
 		}
 
 		// Add tags if specified
diff --git a/controllers/karpentermachinepool_controller_test.go b/controllers/karpentermachinepool_controller_test.go
@@ -500,9 +500,8 @@ var _ = Describe("KarpenterMachinePool reconciler", func() {
 						EC2NodeClass: &karpenterinfra.EC2NodeClassSpec{
 							AMIName:        AMIName,
 							AMIOwner:       AMIOwner,
-							SecurityGroups: []string{KarpenterNodesSecurityGroup},
-							Subnets:        []string{KarpenterNodesSubnets},
-							// UserData:       nil,
+							SecurityGroups: map[string]string{"my-target-sg": "is-this"},
+							Subnets:        map[string]string{"my-target-subnet": "is-that"},
 							// Tags:           nil,
 						},
 						IamInstanceProfile: KarpenterNodesInstanceProfile,
@@ -802,7 +801,7 @@ var _ = Describe("KarpenterMachinePool reconciler", func() {
 								// Assert the security group name field
 								securityGroupTags, ok := securityGroupSelectorTerm0["tags"].(map[string]interface{})
 								Expect(ok).To(BeTrue(), "expected tags to be a map[string]string")
-								Expect(securityGroupTags["Name"]).To(Equal(KarpenterNodesSecurityGroup))
+								Expect(securityGroupTags["my-target-sg"]).To(Equal("is-this"))
 
 								// 	Assert subnets are the expected ones
 								subnetSelectorTerms, found, err := unstructured.NestedSlice(ec2nodeclassList.Items[0].Object, "spec", "subnetSelectorTerms")
@@ -815,7 +814,7 @@ var _ = Describe("KarpenterMachinePool reconciler", func() {
 								// Assert the security group name field
 								subnetTags, ok := subnetSelectorTerm0["tags"].(map[string]interface{})
 								Expect(ok).To(BeTrue(), "expected tags to be a map[string]string")
-								Expect(subnetTags["Name"]).To(Equal(KarpenterNodesSubnets))
+								Expect(subnetTags["my-target-subnet"]).To(Equal("is-that"))
 
 								// 	Assert userdata is the expected one
 								userData, found, err := unstructured.NestedString(ec2nodeclassList.Items[0].Object, "spec", "userData")
@@ -1017,9 +1016,8 @@ var _ = Describe("KarpenterMachinePool reconciler", func() {
 				},
 				Spec: karpenterinfra.KarpenterMachinePoolSpec{
 					EC2NodeClass: &karpenterinfra.EC2NodeClassSpec{
-						SecurityGroups: []string{KarpenterNodesSecurityGroup},
-						Subnets:        []string{KarpenterNodesSubnets},
-						// UserData:       nil,
+						SecurityGroups: map[string]string{"my-target-sg": "is-this"},
+						Subnets:        map[string]string{"my-target-subnet": "is-that"},
 						// Tags:           nil,
 					},
 					IamInstanceProfile: KarpenterNodesInstanceProfile,
diff --git a/helm/aws-resolver-rules-operator/templates/infrastructure.cluster.x-k8s.io_karpentermachinepools.yaml b/helm/aws-resolver-rules-operator/templates/infrastructure.cluster.x-k8s.io_karpentermachinepools.yaml
@@ -65,23 +65,20 @@ spec:
                       You can specify a combination of AWS account IDs, "self", "amazon", and "aws-marketplace"
                     type: string
                   securityGroups:
-                    description: SecurityGroups specifies the security groups to use
-                    items:
+                    additionalProperties:
                       type: string
-                    type: array
+                    description: SecurityGroups specifies the security groups to use
+                    type: object
                   subnets:
-                    description: Subnets specifies the subnets to use
-                    items:
+                    additionalProperties:
                       type: string
-                    type: array
+                    description: Subnets specifies the subnets to use
+                    type: object
                   tags:
                     additionalProperties:
                       type: string
                     description: Tags specifies the tags to apply to EC2 instances
                     type: object
-                  userData:
-                    description: UserData specifies the user data to use
-                    type: string
                 type: object
               iamInstanceProfile:
                 description: |-
